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ICO consultation on the draft updated data sharing 
code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the 
Survey, or you have any general queries about the consultation, please 


email us at datasharingcode@ico.org.uk. 


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
Capacity (e.g. a member of the public). All responses from organisations 
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and individuals responding in a professional capacity will be published. We 
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Qi Does the updated code adequately explain and advise on the new 
aspects of data protection legislation which are relevant to data 
sharing? 


w 


K No 


Q2 If not, please specify where improvements could be made. 


The sharing of personal data for research purposes in the case 
study on page 100 is unclear and should clarify whether consent 
is required in that example or not, rather than say “the school 
might wish to obtain parent’ consent but other lawful basis 


would be available to it”. A further clarification on the 
requirements to sharing data for research purposes between the 
NHS and research institutes e.g. Universities would be useful. 


Q3 Does the draft code cover the right issues about data sharing? 
Yes 


[| No 
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Q4_—s If no, what other issues would you like to be covered in it? 


Q5 Does the draft code contain the right level of detail? 
L] Yes 


K No 


Q6 If no, in what areas should there be more detail within the draft 
code? 


Some areas need more detail, for example when Data Sharing 
Agreements (DSAs) should be used and when they should not be 
used, and examples of DSA formats. 


Q7 Has the draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation’s data sharing practices? 


[|] Yes 


K No 
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Q8__siIf no, please specify what areas are not being addressed, or not 
being addressed in enough detail 


While the draft code states that it is good practice to have DSAs 
in place and sets out benefits of the DSAs, it lacks clarity on 
when DSAs should be used and when not, and if used what 
format they could take. 


The draft code mentions that a DSA should contain reasons for 
sharing etc. If the organisation already keeps a record of 
processing activities and has adequate privacy notices in place, 
it would be a repetition to include this information in DSAs? It 
would also be onerous to add diagrams in DSAs, unless this was 
part of a process relating to a specific data sharing process or 
procedure. For this reason, as also mentioned below, an 
example of the different types DSAs would be helpful. 


The draft code states there is no formal set format for a DSA and 
it can take a variety of formats depending on the scale and 
complexity of data sharing. Does this mean that there may be 
situations where a DSA is not necessary but a ‘common sense’ 
procedure that insures the data sharing complies with data 
protection law requirements is sufficient? An example of DSAs 
and situations where these can be used would be useful. 


The draft code mentions that the DPO "should be closely 
involved from the outset in any plans to enter into a data 
sharing arrangement”. This would be onerous in large 
organisations. 


Q9 Does the draft code provide enough clarity on good practice in data 
sharing? 


[|] Yes 


K No 


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 


1CO. 


information Commissioner's Office 


More clarity is needed on situations where DSAs are necessary 
or alternative ways of demonstrating accountability especially 
where data sharing is on a routine basis. The guidance should 
make it clear the precise legal requirements for sharing data, 
and then separately, what the ICO would consider to be best 


practice and how sharing personal data can be documented in an 
alternative manner, and be legal compliant. 


Q11 Does the draft code strike the right balance between recognising 
the benefits of sharing data and the need to protect it? 


Yes 


O No 


Q12 If no, in what way does the draft code fail to strike this balance? 


Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


[|] Yes 


K No 


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 
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The draft code is very repetitive, which has led to a very lengthy 
document; there is a risk that people may miss some of the 
important parts when used as a reference. 


Sharing personal data for research in the NHS and University 
sectors has not been adequately covered. 


Q15 To what extent do you agree that the draft code is clear and easy 
o understand? 


ert 


Strongly agree 


L 

Agree 
O Neither agree nor disagree 
L Disagree 

O Strongly disagree 

Q16 Are you answering as: 


O An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public of the public) 


L] An individual acting in a professional capacity 
On behalf of an organisation 
O Other 


Please specify the name of your organisation: 


The University of Birmingham 


Thank you for taking the time to share your views and experience. 


